Routing Policy Behavior
PAN-OS specific behavior for the openconfig-routing-policy
model.
Review the deviation file before
using the openconfig-routing-policy model to familiarize yourself
with supported paths.
Because the openconfig-routing-policy model has
no implicit router, PAN-OS uses a unique naming convention to enable
the routing policies to apply to the correct virtual router. See Manage Routing Policies to see
an example mapping of policies to the virtual router.
When using the openconfig-routing-policy model with PAN-OS:
- To avoid conflicts, only use unique redistribution profiles for each routing policy.
- Avoid having unused redistribution profiles.
- Defined-sets only belong to redistribution profiles.
- Policy definitions map to the routing protocols in exports.
- In the statements/actions/ospf container, the action affects the export action link in OSPF, not the redistribution profile.
- Conditional advertisements are not supported.
- You cannot name rules with CIDR/IP.
- In conditions, only one interface can be added per OSPF area per statement.
- Statements and policy definitions refer to the same object, so a delete can only happen at the policy-definition level.
Not every naming element in the naming convention is required
for a successful configuration.
The following are the steps generally followed to successfully
configure a routing policy with OpenConfig:
- Define defined-sets, which include neighbor-sets (host IPs) and prefix-sets (network CIDRs).
- Define policy-definitions that include statements with conditions that reference defined-sets, interfaces, and policy actions.
- (Optional) Within the network-instances container of the routing policy, define the three connections (source protocol, destination protocol, and IP version) that use the policy-definition defined in step 2.
Supported Tags
The following is the list of protocol tags available with v1.1's openconfig-routing-policy
model:
- ospf
- bgp
- bgpimporttag
- bgpexporttag
OpenConfig Defined Sets
Under the openconfig-routing-policy/defined-sets
container the following naming schema directs the container to the
appropriate router:
Virtual Router Name + Protocol Tag + Object Name
The following code block shows an example of the naming convention
applied to defined-sets.
{
  "routing-policy": {
    "defined-sets": {
      "neighbor-sets": {
        "neighbor-set": [
          {
            "config": {
              "address": [
                "192.168.11.2"
              ],
              "name": "cgd+redis+redis-fr-connect"
            },
            "name": "cgd+redis+redis-fr-connect"
          }
        ]
      },
      "prefix-sets": {
        "prefix-set": [
          {
            "config": {
              "mode": "IPV4",
              "name": "cgd+redis+redis-fr-connect"
            },
            "name": "cgd+redis+redis-fr-connect",
            "prefixes": {
              "prefix": [
                {
                  "config": {
                    "ip-prefix": "2.2.2.2/32",
                    "masklength-range": "exact"
                  },
                  "ip-prefix": "2.2.2.2/32",
                  "masklength-range": "exact"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
OpenConfig Policy Definitions
Under the
openconfig-routing-policy/policy-definitions container the following
naming schema applies to direct the container to the appropriate
protocol:
Virtual Router Name + Protocol Tag + Object Name
The policy statements are defined by the Object Name.
The following code block shows an example of defining policies using the naming
convention and the previously defined neighbor-set and prefix-set.
{
  "routing-policy": {
    "policy-definitions": {
      "policy-definition": [
        {
          "config": {
            "name": "cgd+bgp+redis-fr-connect"
          },
          "name": "cgd+bgp+redis-fr-connect",
          "statements": {
            "statement": [
              {
                "actions": {
                  "config": {
                    "policy-result": "ACCEPT_ROUTE"
                  },
                  "bgp-actions": {
                    "config": {
                      "set-local-pref": 4000,
                      "set-med": 321,
                      "set-route-origin": "INCOMPLETE"
                    },
                    "set-community": {
                      "config": {
                        "method": "INLINE",
                        "options": "REPLACE"
                      },
                      "inline": {
                        "config": {
                          "communities": [
                            "4000:1234"
                          ]
                        }
                      }
                    },
                    "set-ext-community": {
                      "config": {
                        "method": "INLINE",
                        "options": "REPLACE"
                      },
                      "inline": {
                        "config": {
                          "communities": [
                            "target:4000:1234"
                          ]
                        }
                      }
                    }
                  }
                },
                "conditions": {
                  "match-interface": {
                    "config": {
                      "interface": "ethernet1/1"
                    }
                  },
                  "match-neighbor-set": {
                    "config": {
                      "neighbor-set": "cgd+redis+redis-fr-connect"
                    }
                  },
                  "match-prefix-set": {
                    "config": {
                      "prefix-set": "cgd+redis+redis-fr-connect"
                    }
                  }
                },
                "config": {
                  "name": "redis-fr-connect"
                },
                "name": "redis-fr-connect"
              }
            ]
          }
        }
      ]
    }
  }
}
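Before a payload like the defined-sets and policy-definition examples above is pushed to a firewall with a gNMI Set, it is worth checking it against the rules this page sets out: every object name follows Virtual Router Name + Protocol Tag + Object Name, no rule is named with an IP or CIDR, each statement's match-neighbor-set and match-prefix-set resolve to a defined-set in the same virtual router, and no defined-set is left unreferenced (an unused profile). The following Python linter is an added example and is not PAN-OS, OpenConfig or gnmic code. The sample document is built from the page's own JSON by a `build_sample` helper of my own; because the page's sample uses a `redis` tag that is not in the tag list above, a tag outside that list is reported as a warning rather than an error.

```python
import ipaddress
import json

# Protocol tags the page lists for v1.1 of the openconfig-routing-policy model.
SUPPORTED_TAGS = {"ospf", "bgp", "bgpimporttag", "bgpexporttag"}


def parse_name(name):
    """Split 'VirtualRouter+Tag+Object' into its three parts (ValueError if malformed)."""
    parts = name.split("+")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"{name!r} is not of the form VR+TAG+OBJECT")
    return parts[0], parts[1], parts[2]


def is_ip_or_cidr(text):
    """True when the object name is an IP address or CIDR, which rule names may not be."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def check_name(name):
    """Return (errors, warnings) for one object name under the naming convention."""
    try:
        _vr, tag, obj = parse_name(name)
    except ValueError as exc:
        return [str(exc)], []
    errors = [f"{name}: object name must not be an IP address or CIDR"] if is_ip_or_cidr(obj) else []
    warnings = [] if tag in SUPPORTED_TAGS else [f"{name}: tag {tag!r} not in {sorted(SUPPORTED_TAGS)}"]
    return errors, warnings


def validate(doc):
    """Lint a routing-policy document; returns (errors, warnings)."""
    errors, warnings = [], []
    rp = doc["routing-policy"]
    # kind -> name -> {"vr": virtual router or None, "used": referenced by a statement?}
    sets = {"neighbor-set": {}, "prefix-set": {}}
    defined = rp.get("defined-sets", {})
    for kind in sets:
        for entry in defined.get(kind + "s", {}).get(kind, []):
            name = entry["name"]
            if entry.get("config", {}).get("name") != name:
                errors.append(f"{name}: list key and config/name differ")
            if name in sets[kind]:
                errors.append(f"{name}: duplicate {kind}")
            e, w = check_name(name)
            errors += e
            warnings += w
            try:
                vr = parse_name(name)[0]
            except ValueError:
                vr = None
            sets[kind][name] = {"vr": vr, "used": False}
    for pd in rp.get("policy-definitions", {}).get("policy-definition", []):
        pname = pd["name"]
        if pd.get("config", {}).get("name") != pname:
            errors.append(f"{pname}: list key and config/name differ")
        e, w = check_name(pname)
        errors += e
        warnings += w
        try:
            pvr = parse_name(pname)[0]
        except ValueError:
            continue
        for st in pd.get("statements", {}).get("statement", []):
            where = f"{pname}/{st.get('name', '?')}"
            conds = st.get("conditions", {})
            for kind in sets:
                ref = conds.get("match-" + kind, {}).get("config", {}).get(kind)
                if ref is None:
                    continue
                if ref not in sets[kind]:
                    errors.append(f"{where}: match-{kind} refers to unknown {kind} {ref!r}")
                    continue
                sets[kind][ref]["used"] = True
                if sets[kind][ref]["vr"] not in (None, pvr):
                    errors.append(f"{where}: {ref!r} belongs to a different virtual router")
    for kind, table in sets.items():
        for name, info in table.items():
            if not info["used"]:
                warnings.append(f"{name}: {kind} is not referenced by any statement (unused profile)")
    return errors, warnings


def build_sample(policy_name="cgd+bgp+redis-fr-connect", set_name="cgd+redis+redis-fr-connect"):
    """Constructed document in the shape of the page's example, trimmed to what the linter reads."""
    return {"routing-policy": {
        "defined-sets": {
            "neighbor-sets": {"neighbor-set": [
                {"config": {"address": ["192.168.11.2"], "name": set_name}, "name": set_name}]},
            "prefix-sets": {"prefix-set": [
                {"config": {"mode": "IPV4", "name": set_name}, "name": set_name,
                 "prefixes": {"prefix": [{"config": {"ip-prefix": "2.2.2.2/32", "masklength-range": "exact"}}]}}]}},
        "policy-definitions": {"policy-definition": [
            {"config": {"name": policy_name}, "name": policy_name,
             "statements": {"statement": [
                 {"actions": {"config": {"policy-result": "ACCEPT_ROUTE"}},
                  "conditions": {"match-interface": {"config": {"interface": "ethernet1/1"}},
                                 "match-neighbor-set": {"config": {"neighbor-set": set_name}},
                                 "match-prefix-set": {"config": {"prefix-set": set_name}}},
                  "config": {"name": "redis-fr-connect"}, "name": "redis-fr-connect"}]}}]}}}


if __name__ == "__main__":
    for label, doc in (("page sample", build_sample()),
                       ("policy on another VR", build_sample(policy_name="vr2+bgp+redis-fr-connect")),
                       ("CIDR as rule name", build_sample(policy_name="cgd+bgp+10.0.0.0/24"))):
        errors, warnings = validate(doc)
        print(label, json.dumps({"errors": errors, "warnings": warnings}, indent=2))
```

Run as-is, the page's sample produces no errors and two tag warnings (the `redis` tag on the neighbor-set and prefix-set); moving the policy-definition to another virtual router turns both statement references into errors, and a CIDR in the object position of the policy name is rejected outright.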
Mapping of the Routing Policy to Fields in PAN-OS
The following images display the mapping of containers in OpenConfig
to fields in PAN-OS on a virtual router:
The following displays the mapping of the routing policy in the virtual
router on the OSPFv2 tab:
Streaming Telemetry for the Routing Policy
The OpenConfig plugin supports all methods of streaming described in OpenConfig Telemetry on PAN-OS.
This includes PROTOJSON support for encoding.
Below is an example of how you could stream changes to the routing policy from a gNMI
client.
gnmic -u <username> -p <password> -a <ipaddress>:<portnumber> --encoding json_ietf --timeout 240s --log --skip-verify sub --path routing-policy/defined-sets/prefix-sets/prefix-set[name=VR_OC+bgpimp+test_import]/state/name --mode once
The result is a gRPC connection that streams results as changes are made to
the PAN-OS BGP routing policy on the VR_OC virtual router.
{
  "updates": [
    {
      "Path": "routing-policy/defined-sets/prefix-sets/prefix-set[name=VR_OC+bgpimp+test_import]/state/mode",
      "values": {
        "routing-policy/defined-sets/prefix-sets/prefix-set/state/mode": "IPV4"
      }
    }
  ]
}
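To act on what the subscription returns, a client has to take the keyed gNMI path apart: the `name` key inside the brackets carries the full Virtual Router Name + Protocol Tag + Object Name string, and the `values` map is keyed by the schema path without keys, so the virtual router and object must be recovered from `Path`. The following Python is an added example, not part of the page or of gnmic; the update is constructed from the page's sample output and the field names of the returned records are my own.

```python
import json
import re

# Constructed from the page's gnmic output: one update for a prefix-set on virtual router VR_OC.
SAMPLE_UPDATE = json.dumps({"updates": [{
    "Path": "routing-policy/defined-sets/prefix-sets/prefix-set[name=VR_OC+bgpimp+test_import]/state/mode",
    "values": {"routing-policy/defined-sets/prefix-sets/prefix-set/state/mode": "IPV4"}}]})

# A path element is a name followed by zero or more [key=value] groups; '/' may appear inside [].
_ELEM = re.compile(r"([^/\[]+)((?:\[[^\]]*\])*)")
_KEY = re.compile(r"\[([^=\]]+)=([^\]]*)\]")


def parse_path(path):
    """Split a gNMI string path into (element, {key: value}) pairs."""
    return [(m.group(1), dict(_KEY.findall(m.group(2)))) for m in _ELEM.finditer(path)]


def decode_update(raw):
    """Map each value in a gnmic update to the virtual router, tag and object it belongs to."""
    records = []
    for upd in json.loads(raw)["updates"]:
        elems = parse_path(upd["Path"])
        keyed = [(elem, keys["name"]) for elem, keys in elems if "name" in keys]
        if not keyed:
            continue  # not a list entry; nothing to attribute to a virtual router
        list_elem, key = keyed[-1]  # innermost keyed element owns the leaf
        parts = key.split("+")
        if len(parts) != 3:
            continue  # key does not follow the VR+TAG+OBJECT convention
        for value in upd["values"].values():
            records.append({"virtual-router": parts[0], "tag": parts[1], "object": parts[2],
                            "list": list_elem, "leaf": elems[-1][0], "value": value})
    return records


if __name__ == "__main__":
    for rec in decode_update(SAMPLE_UPDATE):
        print(json.dumps(rec))
```

Records in this shape can be routed to whoever owns the VR_OC virtual router, or compared against the intended configuration to spot a prefix-set that changed outside the normal change process.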